Great Circle Associates Firewalls
(August 1995)

Subject: Re: Sample Security Policy?
From: Alan Dowd <adowd @ inms-db . os . dhhs . gov>
Date: Thu, 10 Aug 1995 08:50:02 -0400 (EDT)
To: John Cougar <johnc @ canbtimes . com . au>
Cc: snd1pmf @ snd10 . med . navy . mil, firewalls @ GreatCircle . com
In-reply-to: <199508092328 . QAA23996 @ miles . greatcircle . com>

On Thu, 10 Aug 1995, John Cougar wrote:

> Hey Pat
> 
> give away a copy of an organisations Security Policy?!? Not only must
> you be kidding, but also: fat chance.  That'd be as negligent as giving
> away company trade secrets!

NOT! The security policy can be as simple as "all that is not 
specifically permitted is forbidden." It's not the policy, it's how you 
enforce it that _may_ need protection.

Consider a policy for passwords:

	1) all login accounts must have passwords
	2) all passwords must be at least 6 characters
	3) all passwords must contain at least
		a) 1 upper case alphabetic character
		b) 1 lower case alphabetic character
		c) 1 non-alphabetic character

What advantage does this give a potential intruder? What advantage does 
it give the user? the administrator? (Rhetorical questions; solutions are 
left to the student.)

Now if you reveal the enforcement mechanism and make the password file 
available for public scrutiny, then you _may_ be giving something away, 
but if all you reveal is the policy, you give away nothing.

> 
> You can, however, get more than enough info. from the RFC 1244, available
> at any number of archives.  Try an archie server near you someplace.
> 

Here are a few Web sites of interest:

	http://ciac.llnl.gov/cstc/CIACHome.html
	http://www.isse.gmu.edu:80/~gmuisi
	http://hightop.nrl.navy.mil
	http://csrc.ncsl.nist.gov

The last one, the National Institute of Standards and Technology, has a 
separate topic for policies. It can also be reached by anonymous ftp.

> You'll also want copies of the DoD Orange Book,

	... to prop up the corner of a wobbly monitor. The Orange Book 
has absolutely nothing to say about writing policies - it's a set of 
evaluation criteria for trusted systems. For the record, it is available, 
for the asking (as is the whole Rainbow series), from:

	INFOSEC Awareness Division
	ATTN: X711/IOAC
	Ft. George G. Meade, MD 20755-6000
	USA

	+1 410 766 8729

(This latter information changes at unpredictable intervals. Security by 
obscurity at the NSA?)

Electronic copies also exist in many on-line archives.

Regards,
	Al Dowd
	Unix Network Security Analyst
	Management Systems Applications, Inc.
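As an added example, not part of the original message or the list archive: the password policy quoted above, written as an enforcement check in Python with the policy rules kept as data separate from the checking code. The rule descriptions and the passwd(5)-style sample lines are constructed for this example; rules 2 and 3 can only be applied to a cleartext candidate at password-set time, while rule 1 can be audited from the account file.

```python
# Added example: enforcing the password policy quoted in the thread.
# The rules are plain data that can be published; only the checker is code.
MIN_LENGTH = 6  # rule 2 from the message

# Rule 3: each entry is (description, predicate over the candidate password).
COMPLEXITY_RULES = [
    ("at least 1 upper case alphabetic character",
     lambda pw: any(c.isupper() for c in pw)),
    ("at least 1 lower case alphabetic character",
     lambda pw: any(c.islower() for c in pw)),
    ("at least 1 non-alphabetic character",
     lambda pw: any(not c.isalpha() for c in pw)),
]


def check_password(candidate: str) -> list[str]:
    """Return the policy rules a new password violates (empty list = accepted).
    Run at password-set time: rules 2 and 3 need the cleartext candidate and
    cannot be checked against a stored hash."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"at least {MIN_LENGTH} characters")
    for description, predicate in COMPLEXITY_RULES:
        if not predicate(candidate):
            violations.append(description)
    return violations


def accounts_without_passwords(passwd_text: str) -> list[str]:
    """Rule 1: report login accounts whose password field is empty.
    Takes passwd(5)-style lines 'name:password:uid:gid:...'; an empty
    second field lets anyone log in as that user with no password at all."""
    offenders = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            offenders.append(fields[0])
    return offenders


# Constructed sample input for the example, not a real password file.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
"""

if __name__ == "__main__":
    print(accounts_without_passwords(SAMPLE_PASSWD))  # ['guest']
    print(check_password("Tr0ub4dor"))  # []
    print(check_password("secret"))  # upper case and non-alphabetic missing
```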
